I'm running CME4.0 & IOS 12.4(9)T on a 2801. I've configured the 'new' zone-based firewall and I'm using this instead of the old 'ip inspect' lines and traditional CBAC config.
Currently, if I have the voice interface on the router in a zone and inspect TCP & UDP traffic, I can make phone calls out (via FXO) and the remote party can hear me, but I can't hear them - presumably the return call traffic isn't being permitted by the firewall. If I take the voice interface out of the zone, it works fine.
Does anyone have any guidance on the best way to permit skinny traffic from IP phones to the router and vice versa?
The router seems unable to accept a 'match skinny' line in any class-map used by a policy-map which is attached to a zone with 'self' as either the source or destination. When I try to add 'match skinny' to the class I receive the following error:
%Protocol not supported for self-zone traffic inspection in policy-map voice2self-pol on zone-pair voice2self
Is there an alternative way to tell the router to inspect skinny traffic from phones to the router? I want to avoid any strangeness I might induce if I use CBAC-style inspect lines /as well as/ the zone-based firewall.
And if I don't have the voice interface in a zone, then the phones won't be able to talk to the other zones, which will be a requirement in the future.
Any ideas appreciated.